Understand Azure Policy for Kubernetes clusters

Azure Policy extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. Azure Policy makes it possible to manage and report on the compliance state of your Kubernetes clusters from one place. The add-on enacts the following functions:

  • Checks with the Azure Policy service for policy assignments to the cluster.
  • Deploys policy definitions into the cluster as constraint template and constraint custom resources.
  • Reports auditing and compliance details back to the Azure Policy service.

Azure Policy for Kubernetes supports the following cluster environments:

Important

Azure Policy for Kubernetes only supports Linux node pools and built-in policy definitions. Built-in policy definitions are in the Kubernetes category.

Overview

To enable and use Azure Policy with your Kubernetes cluster, take the following actions:

  1. Configure your Kubernetes cluster and install the add-on:

    Note

    For common issues with installation, see Troubleshoot - Azure Policy Add-on.

  2. Understand the Azure Policy language for Kubernetes

  3. Assign a built-in definition to your Kubernetes cluster

  4. Wait for validation

Limitations

The following general limitations apply to the Azure Policy Add-on for Kubernetes clusters:

  • The Azure Policy Add-on for Kubernetes is supported on Kubernetes version 1.14 or higher.
  • The Azure Policy Add-on for Kubernetes can only be deployed to Linux node pools.
  • Only built-in policy definitions are supported.
  • Maximum number of non-compliant records per policy per cluster: 500
  • Maximum number of non-compliant records per subscription: 1 million
  • Installations of Gatekeeper outside of the Azure Policy Add-on aren't supported. Uninstall any components installed by a previous Gatekeeper installation before enabling the Azure Policy Add-on.
  • Reasons for non-compliance aren't available for the Microsoft.Kubernetes.Data Resource Provider mode. Use Component details instead.
  • Exemptions aren't supported for Resource Provider modes.

The following limitations apply only to the Azure Policy Add-on for AKS:

  • Namespaces automatically excluded from evaluation by the Azure Policy Add-on: kube-system, gatekeeper-system, and aks-periscope.

Recommendations

The following are general recommendations for using the Azure Policy Add-on:

  • The Azure Policy Add-on requires three Gatekeeper components to run: 1 audit pod and 2 webhook pod replicas. These components consume more resources as the count of Kubernetes resources and policy assignments in the cluster increases, because that count drives the audit and enforcement workload.

    • For fewer than 500 pods in a single cluster with a maximum of 20 constraints: 2 vCPUs and 350 MB memory per component.
    • For more than 500 pods in a single cluster with a maximum of 40 constraints: 3 vCPUs and 600 MB memory per component.
  • Windows pods don't support security contexts. Thus, some Azure Policy definitions, such as disallowing root privileges, cannot be enforced on Windows pods and apply only to Linux pods.

The following recommendations apply only to AKS and the Azure Policy Add-on:

  • Use a system node pool with the CriticalAddonsOnly taint to schedule Gatekeeper pods. For more information, see Using system node pools.
  • Secure outbound traffic from your AKS clusters. For more information, see Control egress traffic for cluster nodes.
  • If the cluster has aad-pod-identity enabled, Node Managed Identity (NMI) pods modify the nodes' iptables to intercept calls to the Azure Instance Metadata endpoint. This configuration means any request made to the Metadata endpoint is intercepted by NMI, even if the pod doesn't use aad-pod-identity. The AzurePodIdentityException CRD can be configured to inform aad-pod-identity that any requests to the Metadata endpoint originating from a pod that matches the labels defined in the CRD should be proxied without any processing in NMI. The system pods with the kubernetes.azure.com/managedby: aks label in the kube-system namespace should be excluded in aad-pod-identity by configuring the AzurePodIdentityException CRD. For more information, see Disable aad-pod-identity for a specific pod or application. To configure an exception, install the mic-exception YAML.

Install the Azure Policy Add-on for AKS

Before installing the Azure Policy Add-on or enabling any of the service features, your subscription must enable the Microsoft.PolicyInsights resource provider.

  1. You need the Azure CLI version 2.12.0 or later installed and configured. Run az --version to find the version. If you need to install or upgrade, see Install the Azure CLI.

Note

Before you can use the Azure CLI in Azure China, run az cloud set -n AzureChinaCloud first to change the cloud environment. To switch back to Azure Public Cloud, run az cloud set -n AzureCloud again.

  2. Register the resource providers and preview features.

    • Azure portal:

      Register the Microsoft.PolicyInsights resource provider. For steps, see Resource providers and types.

    • Azure CLI:

      # Log in first with az login
      az cloud set -n AzureChinaCloud
      az login
      
      # Provider register: Register the Azure Policy provider
      az provider register --namespace Microsoft.PolicyInsights
      
  3. If limited preview policy definitions were installed, remove the add-on with the Disable button on your AKS cluster under the Policies page.

  4. The AKS cluster must be version 1.14 or higher. Use the following script to validate your AKS cluster version:

    # Log in first with az login
    
    # Look for the value in kubernetesVersion
    az aks list
    
  5. Install version 2.12.0 or higher of the Azure CLI. For more information, see Install the Azure CLI.

Once the above prerequisite steps are completed, install the Azure Policy Add-on in the AKS cluster you want to manage.

  • Azure portal

    1. Launch the AKS service in the Azure portal by selecting All services, then searching for and selecting Kubernetes services.

    2. Select one of your AKS clusters.

    3. Select Policies on the left side of the Kubernetes service page.

    4. In the main page, select the Enable add-on button.

  • Azure CLI

    # Log in first with az login
    az cloud set -n AzureChinaCloud
    az login
    
    az aks enable-addons --addons azure-policy --name MyAKSCluster --resource-group MyResourceGroup
    

To validate that the add-on installation was successful and that the azure-policy and gatekeeper pods are running, run the following commands:

# azure-policy pod is installed in kube-system namespace
kubectl get pods -n kube-system

# gatekeeper pod is installed in gatekeeper-system namespace
kubectl get pods -n gatekeeper-system

Lastly, verify that the latest add-on is installed by running this Azure CLI command, replacing <rg> with your resource group name and <cluster-name> with the name of your AKS cluster: az aks show --query addonProfiles.azurepolicy -g <rg> -n <cluster-name>. The result should look similar to the following output:

"addonProfiles": {
    "azurepolicy": {
        "enabled": true,
        "identity": null
    },
}
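As an added example that is not part of the original page, the following POSIX shell function turns the pod listing from the validation step above into a pass/fail health check against the add-on's requirement of 1 audit pod and 2 webhook pod replicas. The pod name prefixes gatekeeper-audit- and gatekeeper-controller- are assumed from upstream Gatekeeper v3 naming, and the pod listing it parses is constructed sample text rather than output captured from a cluster.

```shell
#!/bin/sh
# Constructed sample of `kubectl get pods -n gatekeeper-system` output (not captured from a real cluster).
# One of the two webhook replicas is still Pending, so this sample must fail the check.
SAMPLE_PODS='NAME                                     READY   STATUS    RESTARTS   AGE
gatekeeper-audit-7c9f6d8b5-x2k4p                1/1     Running   0          3m
gatekeeper-controller-6d4b7f9c8-a1b2c           1/1     Running   0          3m
gatekeeper-controller-6d4b7f9c8-d3e4f           0/1     Pending   0          3m'

# gatekeeper_pods_healthy LISTING
# Counts Running pods by name prefix (gatekeeper-audit- / gatekeeper-controller-, assumed from
# upstream Gatekeeper v3 naming), prints the counts, and returns 0 only when at least one
# audit pod and two webhook pods are Running, which is what the add-on requires.
gatekeeper_pods_healthy() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                                          # skip the header row
        $3 == "Running" && $1 ~ /^gatekeeper-audit-/      { audit++ }
        $3 == "Running" && $1 ~ /^gatekeeper-controller-/ { webhook++ }
        END {
            printf "audit=%d webhook=%d\n", audit, webhook
            if (audit >= 1 && webhook >= 2) exit 0
            exit 1
        }'
}

# In a real post-install check the listing would come from: kubectl get pods -n gatekeeper-system
if gatekeeper_pods_healthy "$SAMPLE_PODS"; then
    echo "gatekeeper add-on pods healthy"
else
    echo "gatekeeper add-on pods NOT healthy; see the counts above" >&2
fi
```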

Policy language

The Azure Policy language structure for managing Kubernetes follows that of existing policy definitions. With a Resource Provider mode of Microsoft.Kubernetes.Data, the effects audit and deny are used to manage your Kubernetes clusters. Audit and deny must provide details properties specific to working with the OPA Constraint Framework and Gatekeeper v3.

As part of the details.constraintTemplate and details.constraint properties in the policy definition, Azure Policy passes the URIs of these CustomResourceDefinitions (CRDs) to the add-on. Rego is the language that OPA and Gatekeeper support to validate a request to the Kubernetes cluster. By supporting an existing standard for Kubernetes management, Azure Policy makes it possible to reuse existing rules and pair them with Azure Policy for a unified cloud compliance reporting experience. For more information, see What is Rego?.

Assign a built-in policy definition

To assign a policy definition to your Kubernetes cluster, you must be assigned the appropriate Azure role-based access control (Azure RBAC) policy assignment operations. The Azure built-in roles Resource Policy Contributor and Owner have these operations. To learn more, see Azure RBAC permissions in Azure Policy.

Find the built-in policy definitions for managing your cluster using the Azure portal with the following steps:

  1. Start the Azure Policy service in the Azure portal. Select All services in the left pane and then search for and select Policy.

  2. In the left pane of the Azure Policy page, select Definitions.

  3. From the Category dropdown list box, use Select all to clear the filter and then select Kubernetes.

  4. Select the policy definition, then select the Assign button.

  5. Set the Scope to the management group, subscription, or resource group of the Kubernetes cluster where the policy assignment will apply.

    Note

    When assigning the Azure Policy for Kubernetes definition, the Scope must include the cluster resource. For an AKS Engine cluster, the Scope must be the resource group of the cluster.

  6. Give the policy assignment a Name and Description that you can use to identify it easily.

  7. Set the Policy enforcement to one of the values below.

    • Enabled - Enforce the policy on the cluster. Kubernetes admission requests with violations are denied.

    • Disabled - Don't enforce the policy on the cluster. Kubernetes admission requests with violations aren't denied. Compliance assessment results are still available. When rolling out new policy definitions to running clusters, the Disabled option is helpful for testing the policy definition, because admission requests with violations aren't denied.

  8. Select Next.

  9. Set parameter values

    • To exclude Kubernetes namespaces from policy evaluation, specify the list of namespaces in the parameter Namespace exclusions. It's recommended to exclude: kube-system, gatekeeper-system, and azure-arc.
  10. Select Review + create.

Alternatively, use the Assign a policy - Portal quickstart to find and assign a Kubernetes policy. Search for a Kubernetes policy definition instead of the sample 'audit vms'.

Important

Built-in policy definitions are available for Kubernetes clusters in the Kubernetes category. For a list of built-in policy definitions, see Kubernetes samples.

Policy evaluation

Every 15 minutes, the add-on checks in with the Azure Policy service for changes in policy assignments. Any changes found during this refresh cycle trigger creates, updates, or deletes of the constraint templates and constraints.

In a Kubernetes cluster, if a namespace has either of the following labels, admission requests with violations aren't denied. Compliance assessment results are still available.

  • control-plane
  • admission.policy.azure.com/ignore
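Because a namespace carrying either label is never denied, a defender wants a quick inventory of which namespaces sit outside deny enforcement. The following added example (not from the original page) scans kubectl get namespaces --show-labels output for those two label keys and for the namespaces the add-on excludes automatically on AKS (kube-system, gatekeeper-system, aks-periscope); the listing it parses is constructed sample text, and the namespace names other than those three are invented.

```shell
#!/bin/sh
# Constructed sample of `kubectl get namespaces --show-labels` output (not captured from a real cluster).
SAMPLE_NS='NAME                STATUS   AGE   LABELS
default             Active   30d   kubernetes.io/metadata.name=default
kube-system         Active   30d   control-plane=true,kubernetes.io/metadata.name=kube-system
gatekeeper-system   Active   10d   kubernetes.io/metadata.name=gatekeeper-system
payments            Active   5d    admission.policy.azure.com/ignore=true,team=payments
web                 Active   5d    team=web'

# exempt_namespaces LISTING
# Prints "<namespace> <reason>" for every namespace whose admission violations would not be denied:
# either it is one of the namespaces the add-on skips automatically on AKS, or it carries the
# control-plane or admission.policy.azure.com/ignore label key (the label value is irrelevant).
exempt_namespaces() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                                   # skip the header row
        {
            ns = $1; reason = ""
            if (ns == "kube-system" || ns == "gatekeeper-system" || ns == "aks-periscope")
                reason = "auto-excluded-on-aks"
            n = split($NF, labels, ",")                    # LABELS column: key=value,key=value
            for (i = 1; i <= n; i++) {
                split(labels[i], kv, "=")
                if (kv[1] == "control-plane" || kv[1] == "admission.policy.azure.com/ignore") {
                    if (reason != "") reason = reason ","
                    reason = reason "label:" kv[1]
                }
            }
            if (reason != "") print ns, reason
        }'
}

# In a real audit the listing would come from: kubectl get namespaces --show-labels
exempt_namespaces "$SAMPLE_NS"
```

Review any namespace reported here that is not a platform namespace: a workload team adding the ignore label to its own namespace silently removes it from deny enforcement while compliance reporting continues.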

Note

While a cluster admin may have permission to create and update the constraint template and constraint resources installed by the Azure Policy Add-on, these aren't supported scenarios, because manual updates are overwritten. Gatekeeper continues to evaluate policies that existed prior to installing the add-on and assigning Azure Policy policy definitions.

Every 15 minutes, the add-on calls for a full scan of the cluster. After gathering details of the full scan and any real-time evaluations by Gatekeeper of attempted changes to the cluster, the add-on reports the results back to Azure Policy for inclusion in compliance details like any Azure Policy assignment. Only results for active policy assignments are returned during the audit cycle. Audit results can also be seen as violations listed in the status field of the failed constraint. For details on non-compliant resources, see Component details for Resource Provider modes.

Note

Each compliance report in Azure Policy for your Kubernetes clusters includes all violations within the last 45 minutes. The timestamp indicates when a violation occurred.

Some other considerations:

  • If the cluster subscription is registered with Azure Security Center, then Azure Security Center Kubernetes policies are applied on the cluster automatically.

  • When a deny policy is applied on a cluster with existing Kubernetes resources, any pre-existing resource that is not compliant with the new policy continues to run. When the non-compliant resource gets rescheduled on a different node, Gatekeeper blocks the resource creation.

  • When a cluster has a deny policy that validates resources, the user will not see a rejection message when creating a deployment. For example, consider a Kubernetes deployment that contains replicasets and pods. When a user executes kubectl describe deployment $MY_DEPLOYMENT, it does not return a rejection message as part of the events. However, kubectl describe replicasets.apps $MY_DEPLOYMENT returns the events associated with the rejection.

Logging

As Kubernetes controllers/containers, both the azure-policy and gatekeeper pods keep logs in the Kubernetes cluster. The logs can be exposed in the Insights page of the Kubernetes cluster. For more information, see Monitor your Kubernetes cluster performance with Azure Monitor for containers.

To view the add-on logs, use kubectl:

# Get the azure-policy pod name installed in kube-system namespace
kubectl logs <azure-policy pod name> -n kube-system

# Get the gatekeeper pod name installed in gatekeeper-system namespace
kubectl logs <gatekeeper pod name> -n gatekeeper-system

For more information, see Debugging Gatekeeper in the Gatekeeper documentation.

Troubleshooting the add-on

For more information about troubleshooting the Add-on for Kubernetes, see the Kubernetes section of the Azure Policy troubleshooting article.

Remove the add-on

Remove the add-on from AKS

To remove the Azure Policy Add-on from your AKS cluster, use either the Azure portal or the Azure CLI:

  • Azure portal

    1. Launch the AKS service in the Azure portal by selecting All services, then searching for and selecting Kubernetes services.

    2. Select the AKS cluster where you want to disable the Azure Policy Add-on.

    3. Select Policies on the left side of the Kubernetes service page.

    4. In the main page, select the Disable add-on button.

  • Azure CLI

    # Log in first with az login
    
    az aks disable-addons --addons azure-policy --name MyAKSCluster --resource-group MyResourceGroup
    

Diagnostic data collected by the Azure Policy Add-on

The Azure Policy Add-on for Kubernetes collects limited cluster diagnostic data. This diagnostic data is vital technical data related to software and performance. It's used in the following ways:

  • Keep the Azure Policy Add-on up to date
  • Keep the Azure Policy Add-on secure, reliable, and performant
  • Improve the Azure Policy Add-on through aggregate analysis of how the add-on is used

The information collected by the add-on isn't personal data. The following details are currently collected:

  • Azure Policy Add-on agent version

  • Cluster type

  • Cluster region

  • Cluster resource group

  • Cluster resource ID

  • Cluster subscription ID

  • Cluster OS (example: Linux)

  • Cluster city

  • Cluster state or province

  • Cluster country or region

  • Exceptions and errors encountered by the Azure Policy Add-on during agent installation or policy evaluation

  • Number of Gatekeeper policy definitions not installed by the Azure Policy Add-on

Next steps